Thursday, June 22, 2006

Microsoft Excel 'Shockwave Flash Object' Lets Remote Users Execute Code Automatically

A remote user can create an Excel file that includes a malicious Flash file embedded using the Excel 'Shockwave Flash Object' function.

When the target user opens the Excel file, the Flash code will execute automatically without user interaction. The code will run with the privileges of the target user.

The vendor was notified on May 3, 2006.

Debasis Mohanty (aka Tr0y) discovered this vulnerability.

The original advisory, including a demonstration exploit, is available at: http://hackingspirits.com/vuln-rnd/vuln-rnd.html

Nice find Tr0y.
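
A defender-side triage check for the embedding described above, added here as an example and not taken from the original advisory: it scans a workbook's raw bytes for the Shockwave Flash ActiveX control's CLSID or ProgID and for an SWF header. The function names and sample bytes are constructed for illustration, and it assumes the legacy binary .xls format, where embedded object data is stored uncompressed.

```python
import sys
import uuid

# Well-known COM identifiers of the Shockwave Flash ActiveX control.
FLASH_CLSID = uuid.UUID("D27CDB6E-AE6D-11CF-96B8-444553540000")
FLASH_PROGID = "ShockwaveFlash.ShockwaveFlash"

def _has_swf_header(data: bytes) -> bool:
    """True if an SWF signature with a plausible version and length is present."""
    for magic in (b"FWS", b"CWS"):  # uncompressed / zlib-compressed SWF
        pos = data.find(magic)
        while pos != -1:
            header = data[pos:pos + 8]
            if len(header) == 8 and 1 <= header[3] <= 64:
                declared = int.from_bytes(header[4:], "little")
                if declared >= 8 and (magic == b"CWS" or declared <= len(data) - pos):
                    return True
            pos = data.find(magic, pos + 1)
    return False

def flash_indicators(data: bytes) -> list[str]:
    """Return the names of Flash-embedding indicators found in raw file bytes."""
    found = []
    # OLE storages record an object's CLSID as a 16-byte GUID whose first
    # three fields are little-endian, so search for that binary form.
    if FLASH_CLSID.bytes_le in data:
        found.append("clsid-binary")
    # The CLSID or ProgID may also appear as text, in ASCII or UTF-16LE.
    lowered = data.lower()
    for label, text in (("clsid-text", str(FLASH_CLSID)), ("progid", FLASH_PROGID)):
        needle = text.lower()
        if needle.encode("ascii") in lowered or needle.encode("utf-16-le") in lowered:
            found.append(label)
    if _has_swf_header(data):
        found.append("swf-header")  # corroborating only; short magic values collide
    return found

# Constructed sample bytes for illustration (not real workbooks).
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
SAMPLE_EMBEDDED = (OLE_MAGIC + b"\x00" * 32 + FLASH_CLSID.bytes_le + b"\x00" * 16
                   + b"FWS\x08" + (12).to_bytes(4, "little") + b"\x00" * 4)
SAMPLE_CLEAN = OLE_MAGIC + b"\x00" * 64 + "Workbook".encode("utf-16-le")

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, flash_indicators(fh.read()) or "no Flash indicators")
```

A hit on the CLSID or ProgID is the meaningful signal for quarantine or manual review; the SWF header match alone is weak and should only raise confidence when it accompanies one of the others.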
